2014 Annual Report
C. OFFICE OF INSPECTOR GENERAL’S ASSESSMENT OF THE MANAGEMENT AND PERFORMANCE CHALLENGES FACING THE FDIC
Under the Reports Consolidation Act of 2000, the Office of Inspector General (OIG) identifies the management and performance challenges facing the FDIC and provides its assessment to the Corporation for inclusion in the FDIC’s Annual Performance and Accountability Report. In doing so, the OIG keeps in mind the FDIC’s overall program and operational responsibilities; financial industry, economic, and technological conditions and trends; areas of congressional interest and concern; relevant laws and regulations; the Chairman’s priorities and corresponding corporate goals; and ongoing activities to address the issues involved. The OIG believes that the FDIC faces challenges in the critical areas listed below that will continue to occupy much of the Corporation’s attention and require its sustained focus for the foreseeable future.
Carrying Out Dodd-Frank Act Responsibilities
The Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) created a comprehensive new regulatory and resolution framework designed to avoid the severe consequences of financial instability. Title I of the Dodd-Frank Act provides tools for regulators to impose enhanced supervision and prudential standards on systemically important financial institutions (SIFIs). Title II provides the FDIC with a new orderly liquidation authority for SIFIs, subject to a systemic risk determination by statutorily-designated regulators. The FDIC has made progress toward implementing its systemic resolution authorities under the Dodd-Frank Act, in large part due to the efforts of an active cross-divisional working group composed of senior FDIC officials, but challenges remain. These challenges involve the FDIC’s ability to fulfill its insurance, supervisory, receivership management, and resolution responsibilities as it meets the requirements of the Dodd-Frank Act. These responsibilities are cross-cutting and are carried out by staff throughout the Corporation’s headquarters and regional divisions and offices, including in the Office of Complex Financial Institutions, an office established in response to the Dodd-Frank Act. That office is taking steps to realign organizational responsibilities for Title I and Title II tasks in the interest of ensuring the most efficient and complementary efforts of staff involved in both.
As discussed more fully below, in the coming year, those involved in Dodd-Frank Act activities will continue to evaluate the resolution plans submitted by the largest bank holding companies and other SIFIs under Title I; develop strategies for resolving SIFIs under Title II; work to promote cross-border cooperation for the orderly resolution of a global SIFI; and coordinate with the other regulators to develop policy to implement the provisions of the Dodd-Frank Act.
In the interest of operational readiness to resolve a SIFI, the Corporation will need to determine optimum staffing, needed expertise, and effective organizational structures to handle current and future responsibilities. In that regard, it will also need to leverage subject-matter expertise currently existing in the FDIC’s various divisions and ensure effective and efficient communication, coordination, and information sharing as those responsible carry out their respective roles.
Maintaining Strong Information Technology Security and Governance Practices
Key to achieving the FDIC’s mission of maintaining stability and public confidence in the nation’s financial system is safeguarding the sensitive information, including personally identifiable information that the FDIC collects and manages in its role as federal deposit insurer and regulator of state nonmember financial institutions. Further, as an employer, an acquirer of services, and a receiver for failed institutions, the FDIC obtains considerable amounts of sensitive information from its employees, contractors, and failed institutions. Increasingly sophisticated security risks and global connectivity have resulted in both internal and external risks to that sensitive information. Internal risks include errors and fraudulent or malevolent acts by employees or contractors working within the organization. External threats include a growing number of cyber-based attacks that can come from a variety of sources, such as hackers, criminals, foreign nations, terrorists, and other adversarial groups. Such threats underscore the importance of a strong, enterprise-wide information security program.
During 2013, the FDIC Chairman announced significant changes to the FDIC’s information security governance structure to address current and emerging risks in the information technology (IT) and information security environments. Among these changes, the FDIC established the IT/Cyber Security Oversight Group to provide a senior-level forum for assessing cyber security threats and developments affecting the FDIC and the banking industry. Subsequently, the FDIC Chairman separated the roles and responsibilities of the Chief Information Officer (CIO) and Director of the Division of Information Technology (DIT). Both positions had previously been held by the same individual. The CIO now reports directly to the FDIC Chairman and has broad strategic responsibility of IT governance, investments, program management, and information security. The CIO also serves as the FDIC’s Chief Privacy Officer. Finally, the Chief Information Security Officer (CISO) and related staff, who had formerly reported to the Director of DIT, now report to the CIO. The purpose of this realignment was to ensure that the CISO has the ability to provide an independent perspective on security matters to the CIO, and that the CIO has the authority and primary responsibility to implement an agency-wide information security program.
Throughout 2014, the benefits of the new IT governance structure began to be realized. During 2015, a challenging priority for the FDIC will be to continue to adapt to these organizational changes and maintain effective communication and collaboration among all parties involved in ensuring a robust, secure IT operating environment that meets the day-to-day and longer-term needs of the FDIC employees who depend on it. The Corporation will also need to ensure that its business continuity and disaster recovery plans are effective in addressing the impacts of natural disasters or other events that disrupt its business processes and activities. A permanent CIO came on board in December 2014 and will continue to carry out needed information security initiatives. Among those are strategies to ensure the security of the FDIC’s systems and infrastructure and efforts to support communications with other federal agencies if a widespread emergency occurred.
Maintaining Effective Supervisory Activities and Preserving Community Banking
The FDIC’s supervision program promotes the safety and soundness of FDIC-supervised insured depository institutions. The FDIC is the primary federal regulator for 4,138 FDIC-insured, state-chartered institutions that are not members of the Board of Governors of the Federal Reserve System (FRB). As such, the FDIC is the lead federal regulator for the majority of community banks. As the FDIC operates in a post-crisis environment, it must continue to apply lessons learned over the past years of turmoil. One key lesson is the need for earlier regulatory response when risks are building. For example, banks may be tempted to take additional risks, engage in imprudent concentrations, or loosen underwriting standards. Some banks are also introducing new products or lines of business or seeking new sources for non-interest income, all of which can lead to interest rate risk, credit risk, operational risk, and reputational risk. Such risks need to be managed and addressed early on during the “good times” before a period of downturn. FDIC examiners need to identify problems, bring them to the attention of bank management, follow up on problems, recommend enforcement actions as needed, and be alert to such risks as Bank Secrecy Act and anti-money laundering issues. With respect to important international concerns, the FDIC also needs to support development of sound global regulatory policy through participation on the Basel Committee on Banking Supervision and related sub-groups, and to address such matters as the Basel III capital accord and Basel liquidity standards.
Importantly, with respect to the FDIC’s involvement with the Dodd-Frank Act, the Division of Risk Management Supervision’s (RMS) Complex Financial Institutions Group is responsible for the monitoring function for SIFIs. This group is primarily responsible for monitoring risk within and across large, complex financial companies for back-up supervisory and resolution readiness purposes. In that connection, RMS is also playing a key role in reviewing and providing feedback on resolution plans submitted by companies covered by Title I of the Dodd-Frank Act, as part of a shared responsibility with the FRB.
Of critical importance with respect to the FDIC’s supervisory role, and in light of technological changes, increased use of technology service providers (TSP), new delivery channels, and cyber threats, the FDIC’s IT examination program needs to be proactive. Also, bankers and Boards of Directors need to ensure a strong control environment and sound risk management and governance practices in their institutions. Controls need to be designed not only to protect sensitive customer information, but also to guard against intrusions that can compromise the integrity and availability of operations, information and transaction processing systems, and data. Given the complexities of the range of cyber threats, the FDIC needs to ensure its examination workforce has the needed expertise to effectively carry out its IT examination responsibilities.
Of special note, in partnership with the Federal Financial Institutions Examination Council, the FDIC has developed a framework for conducting IT examinations that covers a broad spectrum of technology, operational, and information security risks to both institutions and TSPs. Importantly, one TSP can service hundreds or even thousands of financial institutions, so that the impact of security incidents in one TSP can have devastating ripple effects on those institutions. In the coming months, the Corporation needs to continue efforts, along with the other regulators, to address these risks and use all available supervisory and legal authorities to ensure the continued safety and soundness of financial institutions and affiliated third-party entities. It also needs to ensure effective information-sharing about security incidents with regulatory parties and other federal groups established to combat cyber threats in an increasingly interconnected world.
The Chairman has made it clear that one of the FDIC’s most important priorities is the future of community banks and the critical role they play in the financial system and the U.S. economy as a whole. Local communities and small businesses rely heavily on community banks for credit and other essential financial services. These banks foster economic growth and help to ensure that the financial resources of the local community are put to work on its behalf. Consolidations and other far-reaching changes in the U.S. financial sector in recent decades have made community banks a smaller part of the U.S. financial system. To ensure the continued strength of the community banks, the Corporation will need to sustain initiatives such as ongoing research, technical assistance to the banks by way of training videos on key risk management and consumer compliance matters, and continuous dialogue with community banking groups.
Maintaining a strong examination program, conducting vigilant supervisory activities for both small and large banks, applying lessons learned, and being attuned to harmful cyber threats in financial institutions and TSPs will be critical to ensuring stability and continued confidence in the financial system going forward.
Carrying Out Current and Future Resolution and Receivership Responsibilities
Through purchase and assumption agreements with acquiring institutions, the Corporation has entered into shared-loss agreements (SLAs). Since loss sharing began during the most recent crisis in November 2008, the FDIC resolved 304 failures with accompanying SLAs; the initial covered asset balance was $216.5 billion. As of December 31, 2014, 281 receiverships still have active SLAs, with a current covered asset balance of $54.6 billion.
Under these agreements, the FDIC agrees to absorb a portion of the loss—generally 80 to 95 percent—which may be experienced by the acquiring institution with regard to those assets, for a period of up to 10 years. As another resolution strategy, the FDIC entered into 35 structured sales transactions involving 43,315 assets with a total unpaid principal balance of $26.2 billion. Under these arrangements, the FDIC retains a participation interest in future net positive cash flows derived from third-party management of these assets.
Other post-closing asset management activities continue to require FDIC attention. FDIC receiverships manage assets from failed institutions, mostly those that are not purchased by acquiring institutions through purchase and assumption agreements or involved in structured sales. As of December 31, 2014, the Division of Resolutions and Receiverships (DRR) was managing 481 active receiverships with assets in liquidation totaling about $7.7 billion. As receiver, the FDIC seeks to expeditiously wind up the affairs of the receiverships. Once the assets of a failed institution have been sold and the final distribution of any proceeds is made, the FDIC terminates the receivership.
As recovery from the crisis continues, some of these risk-sharing agreements will be winding down and certain currently active receiverships will be terminated. Given the substantial dollar value and risks associated with the risk sharing activities and other receivership operations, the FDIC needs to ensure continuous monitoring and effective oversight to protect the FDIC’s financial interests.
The FDIC increased its permanent resolution and receivership staffing and significantly increased its reliance on contractor and term employees to fulfill the critical resolution and receivership responsibilities associated with the ongoing FDIC interest in the assets of failed financial institutions. Now, and as discussed later in this document, as the number of financial institution failures continues to decline, the Corporation is reshaping its workforce and adjusting its budget and resources accordingly. Between January 2012 and April 2014, the FDIC closed three of the temporary offices it had established to handle the high volume of bank failures. As a result, authorized staffing for DRR, in particular, fell from a peak of 2,460 in 2010 to 1,463 proposed for 2013, which reflected a reduction of 393 positions from 2012 and 997 positions over three years. Proposed DRR authorized staff for 2014 was 916. Authorized staffing for 2015 is 756. Of note, DRR will continue to substantially reduce its nonpermanent staff each year, based on declining workload.
In the face of these staff reductions and the corresponding loss of specialized experience and expertise, however, the Corporation must also continue to review the resolution plans of large bank holding companies and designated nonbank holding companies to ensure their resolvability under the Bankruptcy Code, if necessary, and in cases where their failure would threaten financial stability, administer their orderly liquidation. Carrying out such activities could pose significant challenges to those in DRR who have historically carried out receivership and resolution activities. For example, the Complex Financial Institutions branch of DRR works to identify and mitigate risks in large insured depository institutions, bank holding companies, and nonbank SIFIs. One of DRR’s challenges in these areas will be to enhance the FDIC’s capability to successfully administer deposit insurance claims determinations for large or complex resolutions. It will also need to ensure operational readiness for related accounting and investigations work streams.
Ensuring the Continued Strength of the Insurance Fund
Insuring deposits remains at the heart of the FDIC’s commitment to maintain stability and public confidence in the nation’s financial system. To maintain sufficient Deposit Insurance Fund (DIF) balances, the FDIC collects risk-based insurance premiums from insured institutions and invests the deposit insurance funds.
In the aftermath of the financial crisis, FDIC-insured institutions continue to make gradual but steady progress. Continuing to replenish the DIF in a post-crisis environment is a critical activity for the FDIC. The DIF balance had dropped below negative $20 billion during the worst time of the crisis. During the fourth quarter of 2014, the DIF balance increased by $8.5 billion, from $54.3 billion at September 30, 2014, to an all-time high of $62.8 billion. The most recent quarterly increase was primarily due to $2.0 billion of assessment revenue and a negative $6.8 billion provision for insurance losses, partially offset by $408 million of operating expenses.
While the fund is considerably stronger than it has been, the FDIC must continue to monitor the emerging risks that can threaten fund solvency in the interest of providing the insurance coverage that depositors have come to rely upon. In that regard, the FDIC will need to continue to regularly disseminate data and analysis on issues and risks affecting the financial services industry to bankers, supervisors, the public, and other stakeholders.
Given the volatility of the global markets and financial systems, new risks can emerge without warning and threaten the safety and soundness of U.S. financial institutions and the viability of the DIF. The FDIC must be prepared for such a possibility. As part of its efforts, the FDIC needs to continue its collaboration with other agencies in helping to ensure financial stability and protect the DIF. One important means of doing so is through participation on the Financial Stability Oversight Council (FSOC), created under the Dodd-Frank Act. This Council was established to provide comprehensive monitoring of stability in the U.S. financial system by identifying and responding to emerging risks to U.S. financial stability and by promoting market discipline. The FDIC Chairman is a member of FSOC, which has the authority to designate for enhanced prudential supervision by the Federal Reserve System any financial firm whose material financial distress could pose a threat to U.S. financial stability. The FDIC’s active involvement on FSOC will be important as the Council members join forces to confront the many potential threats to the nation’s financial system and to the FDIC in its role as insurer.
Promoting Consumer Protections and Economic Inclusion
The FDIC carries out its consumer protection role by providing consumers with access to information about their rights and disclosures that are required by federal laws and regulations. Importantly, it also examines the banks where the FDIC is the primary federal regulator to determine the institutions’ compliance with laws and regulations governing consumer protection, fair lending, and community investment. These activities require collaboration with other regulatory agencies. The FDIC also coordinates with the Consumer Financial Protection Board, created under the Dodd-Frank Act, on consumer issues of mutual interest and monitors rulemakings related to mortgage lending and other types of consumer financial services and products. The FDIC will need to continue to assess the impact of such rulemakings on supervised institutions, communicate key changes to stakeholders, and train examination staff accordingly.
The FDIC continues to work with the Congress and others to ensure that the banking system remains sound and that the broader financial system is positioned to meet the credit needs of consumers and the economy, especially the needs of creditworthy households that may experience distress. A challenging priority articulated by the Chairman is to continue to increase access to financial services for the unbanked and underbanked in the United States. The Corporation will be continuing its Money Smart program and planning for its biennial survey conducted jointly with the U.S. Census Bureau to assess the overall population’s access to insured institutions. Additionally, the FDIC’s Advisory Committee on Economic Inclusion, composed of bankers, community and consumer organizations, and academics, will continue to explore strategies to bring the unbanked into the financial mainstream. The FDIC’s Alliance for Economic Inclusion initiative seeks to collaborate with financial institutions; community organizations; local, state, and federal agencies; and other partners to form broad-based coalitions to bring unbanked and underbanked consumers and small businesses into the financial mainstream.
Successful activities in pursuit of this priority will continue to require effort on the part of the FDIC going forward. The FDIC will need to sustain ongoing efforts to carry out required compliance and community reinvestment examinations, coordinate with the other financial regulators and CFPB on regulatory matters involving financial products and services, and pursue and measure the success of economic inclusion initiatives to the benefit of the American public.
Implementing Workforce Changes and Budget Reductions
As referenced earlier, as the number of financial institution failures continues to decline, the FDIC has been reshaping its workforce and adjusting its budget and human resources as it seeks a balanced approach to managing costs while achieving mission responsibilities. Over the past several years of recovery, the FDIC closed all three of the temporary offices charged with managing many receivership and asset sales activities on the East and West Coasts and in the Midwest.
During the 2015 planning and budget process, the Corporation reassessed its current and projected workload along with trends within the banking industry and the broader economy. Based on that review, the FDIC expects a continuation of steady improvements in the global economy, a small number of insured institution failures, gradual reductions in post-failure receivership management workload, and significant further reductions in the number of 3-, 4-, and 5-rated institutions. While the FDIC will continue to need some temporary and term employees over the next several years to complete the residual workload from the financial crisis, industry trends confirm that the need for nonpermanent employees over the next several years will steadily decrease.
Given those circumstances, the FDIC Board of Directors approved a $2.32 billion Corporate Operating Budget for 2015, 3 percent lower than the 2014 budget. In conjunction with its approval of the 2015 budget, the Board also approved an authorized 2015 staffing level of 6,875 positions, down from 7,200 currently authorized, a net reduction of 325 positions. This is the fifth consecutive reduction in the FDIC’s annual operating budget.
As conditions improve throughout the industry and the economy, the FDIC will continue its efforts to achieve the appropriate level of resources. At the same time, however, it needs to remain mindful of ever-present risks and other uncertainties in the economy that may prompt the need for additional resources and new skill sets and expertise that may be challenging to obtain.
In that regard, the FDIC is continuing to work toward integrated workforce development processes as it seeks to bring on the best people to meet the FDIC’s changing needs and priorities, and do so in a timely manner. The FDIC has long promoted diversity and inclusion initiatives in the workplace. Section 342 of the Dodd-Frank Act reiterates the importance of standards for assessing diversity policies and practices and developing procedures to ensure the fair inclusion and utilization of women and minorities in the FDIC’s contractor workforce. The Dodd-Frank Act also points to the Office of Minority and Women Inclusion as being instrumental in diversity and inclusion initiatives within the FDIC’s working environment. This office will be challenged as it works to ensure it has the proper staff, expertise, and organizational structure to successfully carry out its advisory responsibilities to ensure diversity and inclusion.
For all employees, in light of a post-crisis, transitioning workplace, the FDIC will seek to sustain its emphasis on fostering employee engagement and morale. Its diversity and inclusion goals and initiatives, Workplace Excellence Program, and workforce development efforts are positive steps in that direction and should continue to create a working environment that warrants the FDIC’s recognition as a Best Place to Work.
Ensuring Effective Enterprise Risk Management Practices
Enterprise risk management is a critical aspect of governance at the FDIC. Notwithstanding a stronger economy and financial services industry, the FDIC’s enterprise risk management framework and related activities need to be attuned to emerging risks, both internal and external to the FDIC that can threaten corporate success. As evidenced in the challenges discussed above, certain difficult issues may fall within the purview of a single division or office, while others are cross-cutting within the FDIC or involve coordination with the other financial regulators and external parties. The Corporation needs to adopt controls, mechanisms, and risk models that can address a wide range of concerns—from specific, everyday risks such as those posed by personnel security practices and records management activities, for example, to the far broader concerns of the ramifications of an unwanted and harmful cyber-attack or the failure of a large bank or SIFI.
The Corporation’s stakeholders—including the Congress, American people, media, and others— expect effective governance, sound risk management practices, and vigilant regulatory oversight of the financial services industry to avoid future crises. Leaders and individuals at every working level throughout the FDIC need to understand current and emerging risks to the FDIC mission and be prepared to take necessary steps to mitigate those risks as changes occur and challenging scenarios that can undermine the FDIC’s short- and long-term success present themselves.